design of sms commanded-and-controlled and p2p … · design of sms commanded-and-controlled and...
TRANSCRIPT
Design of SMS Commanded-and-Controlled andP2P-Structured Mobile Botnets
Yuanyuan Zeng, Kang G. Shin, Xin HuThe University of Michigan, Ann Arbor, MI 48109-2121, U.S.A.
{gracez, kgshin, huxin}@eecs.umich.edu
Abstract—Botnets have become one of the most serious securitythreats to the Internet and personal computer (PC) users.Although botnets have not yet caused major outbreaks in mobilenetworks, with the rapidly-growing popularity of smartphonessuch as Apple’s iPhone and Android-based phones that storemore personal data and gain more capabilities than earlier-generation handsets, botnets are expected to move towards thismobile domain. Since SMS is ubiquitous to every phone and candelay message delivery for offline phones, it is a suitable mediumfor command and control (C&C). In this paper, we describehow a mobile botnet can be built by utilizing SMS messagesfor C&C, and how different P2P structures can be exploitedfor mobile botnets. Our simulation results demonstrate that amodified Kademlia—a structured architecture—is a better choicefor a mobile botnet’s topology. In addition, we discuss potentialcountermeasures to defend against this mobile botnet threat.
I. INTRODUCTION
Botnets have become a most serious security threat to theInternet and the personal computer (PC) world. Although theyhave not yet caused major outbreaks in the mobile world,attacks on cellular networks and devices have recently grownin number and sophistication. With the rapidly-growing popu-larity of smartphones, such as the iPhone and Android-basedphones, there has been a drastic increase in downloading andsharing of third-party applications and user-generated content,making smartphones vulnerable to various types of malware.Smartphone-based banking services have also become popularwithout protection features comparable to those on PCs, en-ticing cyber crimes. There are already a number of reports onmalicious applications in the Android Market [1]. Although theAndroid platform requires that applications should be certifiedbefore their installation, its control policy is rather loose—allowing developers to sign their own applications—so thatattackers can easily get their malware into the Android Market.The iPhone’s application store controls its content more tightly,but it fails to contain jailbroken iPhones which can installany application and even run processes in the background. Assmartphones are increasingly used to handle more personalinformation with more computing power and capabilities butwithout adequate security and privacy protection, attacks tar-geting mobile devices are becoming more sophisticated. Sincethe appearance of the first, proof-of-concept mobile worm,Cabir, in 2004, we have witnessed a significant evolution ofmobile malware. The early malware performed tasks, such asinfecting files, replacing system applications and sending outpremium-rate SMS/MMS messages. One malicious program
is usually capable of only one or two functions. Although thenumber of mobile malware families and their variants has beengrowing steadily over the recent years, their functionalitieshave remained simple until recently.
SymbOS.Exy.A trojan [2] was discovered in February 2009and its variant SymbOS.Exy.C resurfaced in July 2009. Thismobile worm, which is said to have “botnet-esque” behaviorpatterns, differs from other mobile malware because afterinfection, it connects back to a malicious HTTP server andreports information of the device and its user. The Ikee.Bworm [3] targets jailbroken iPhones, and has behavior similarto SymbOS.Exy. Ikee.B also connects to a control server viaHTTP, downloads additional components and sends back theuser’s information. With this remote connection, it is possiblefor attackers to periodically issue commands to and coordinatethe infected devices to launch large-scale attacks. Consideringthis potential, botnets will likely soon become a serious threatto smartphone users. Researchers have also envisioned thisthreat. Two recent papers [4], [5] dealt with mobile botnets.The former characterizes and measures the impact of the largescale Denial-of-Service (DoS) attacks by mobile bots, whilethe latter evaluates using Bluetooth as a vehicle for botnetC&C.
In this paper, we propose the design of a mobile botnet thatmakes the most of mobile services and is resilient to disrup-tion. Within this mobile botnet, all C&C communications aredone via SMS messages since SMS is available to almost everymobile phone. To hide the identity of the botmaster, there areno central servers dedicated to command dissemination that iseasy to be identified and then removed. Instead, we adopt aP2P topology that allows botmasters and bots to publish andsearch for commands in a P2P fashion, making their detectionand disruption much harder.
Our contributions are three-fold. First, to the best of ourknowledge, this is the first attempt to design mobile botnetswith a focus on both C&C protocol and topology. The mainintent of this work is to shed light on potential botnet threatstargeting smartphones. Since current techniques against PCbotnets may not be applied directly to mobile botnets, ourproposed mobile botnet design makes it possible for securityresearchers to investigate and develop new countermeasuresbefore mobile botnets become a major threat. Second, tocommand and control mobile bots, the proposed mobile botnetutilizes SMS messages, a unique but widely-used service forsmartphones. This protocol has not yet been adopted as a C&C
channel by attackers, but we demonstrate its feasibility andbenefits. Third, we test and compare two P2P architecturesthat can be used to construct the topology of our mobile botneton an overlay simulation framework, and finally propose thearchitecture that best suits mobile botnets.
The remainder of the paper is organized as follows. SectionII details the proof-of-concept design of our mobile botnet.Section III presents our simulation and evaluation results.Section IV discusses potential countermeasures against themobile botnets. Section V describes the related work. Thepaper concludes with Section VI.
II. MOBILE BOTNET DESIGN
We now present the detailed design of a proof-of-conceptmobile botnet. The botnet design requires three main com-ponents: (1) vectors to spread the bot code to smartphones;(2) a channel to issue commands; (3) a topology to organizethe botnet. We will briefly overview approaches that can beused to propagate malicious code and then focus on C&C andtopology construction.
A. Propagation
The main approaches used to propagate malicious code tosmartphones are user-involved propagation and vulnerabilityexploits.
In the first approach, the most popular vector is socialengineering. Like their PC counterparts, current smartphoneshave frequent access to the Internet, becoming targets ofmalicious attacks. Thus, spam emails and MMS messageswith malicious content attachments, or spam emails and SMSmessages with embedded links pointing to malicious websiteshosting the malicious code, can easily find their way into amobile phone’s inbox. Without enough caution or warning, amobile phone user is likely to execute the attachments or clickthose links to download malicious programs. The advantage ofsuch schemes is that they can reach a large number of phones.Nevertheless, as smartphones run on a variety of operatingsystems, we expect multiple versions of bot code preparedto guarantee its execution. Another user-involved propagationvector can be Bluetooth, which utilizes mobility. Mobile phoneusers move around so that the compromised phones can useBluetooth to search for devices nearby and after pairing withthem successfully, try to send them malicious files.
Exploiting vulnerabilities to spread malicious code is com-mon in the PC world. However, since there are variousmobile platforms and most of them are closed-source, it isdifficult to find vulnerabilities in real deployments. To date,numerous vulnerabilities have been discovered by the researchcommunity. For example, the HTC’s Bluetooth vulnerability,which allows an attacker to gain access to all files on a phoneby connecting to it via Bluetooth, was disclosed by a Spanishsecurity researcher [6]. Mulliner et al. [7] discovered a way ofdirectly manipulating SMS messages on different mobile plat-forms, without necessarily going through the mobile provider’snetwork. In both cases, OS vendors immediately releasedpatches to the public after the vulnerabilities were published,
allowing few opportunities for a real exploit in the wild. Oncelaunched in their targets, vulnerability exploits always have ahigher success rate than that of user-involved approaches. Asmobile platforms open up and mobile applications and servicesbecome abundant, vulnerability exploits will play a major rolein mobile malware propagation.
B. Command and Control
In our mobile botnet, SMS is utilized as the C&C channel,i.e., compromised mobile bots communicate with botmastersand among themselves via SMS messages. Botnets in the PCworld mostly rely on IP-based C&C delivery. For example,traditional botnets use centralized IRC or HTTP protocol,whereas newly-emerged botnets take advantage of P2P com-munication. Unlike their PC counterparts, smartphones canhardly establish and maintain steady IP-based connectionswith one another. One reason is that they move aroundfrequently. Another reason is that private IPs are normally usedwhen smartphones access networks, especially EDGE and3G networks, meaning that accepting incoming connectionsdirectly from other smartphones is a difficult task. Given thislimitation, if a mobile botnet considers an IP-based channelas C&C, it needs to resort to centralized approaches in whichbots connect to central servers to obtain commands. Suchapproaches, however, are vulnerable to disruption becausethe servers are easy to be identified by defenders. Thus, toconstruct a mobile botnet in a more resilient manner, a non-IP-based C&C is needed.
There are a few advantages for choosing SMS as a C&Cchannel. First, SMS is ubiquitous. It is reported that SMStext messaging is the most widely used data application onthe planet, with 2.4 billion active users, or 74% of all mobilephone subscribers sending and receiving text messages on theirphones [8]. When a mobile phone is turned on, this applicationalways remains active. Second, SMS can accommodate offlinebots easily. For example, if a phone is turned off or haspoor signal reception in certain areas, its SMS communicationmessages will be stored in a service center and delivered oncethe phone is turned back on or the signal becomes available.Third, malicious content in the C&C communication can behidden in SMS messages. According to a survey in China [9],88% of the phone users polled reported they had been plaguedby SMS spamming. As SMS spamming becomes prevalent,bots can encode commands into spam-looking messages sothat users will not suspect. Last but not least, currently thereare multiple ways to send and receive free SMS messagesdirectly on smartphones [10], [11] or through some webinterfaces. We will describe such methods in Section II-B2.Even when the free texting is unavailable, as many phoneusers use SMS plans to avoid per-message charge and insome countries incoming messages are free of charge, withthe design goal of minimizing the number of SMS messageswe expect that using SMS as C&C will not incur considerablecosts.
1) Protocol Design: Our goal is to let a phone that hasinstalled our bot code perform activities according to the
2
Your paypal account was hijacked (Err msg:
NzkxMjAzNDIxODExMDUyM183Mz).
Respond to http://www.bhocxx.paypal.com
using code Q3MDk2NDUyXzEyMzQ1Njc4
Free ringtones download at
www.myringtone.com, using
username VIP, password
YTJiNGQxMWw to log on
FIND_NODE
7912034218110523 _7347096452
_12345678
SEND_SYSINFO
a2b4d11l
Fig. 1. Disguised SMS messages
commands in SMS messages without being noticed by theuser, if possible. In our design, every compromised phone hasan 8-byte passcode. Only by including this passcode into theSMS messages, can other phones successfully deliver C&Cinformation to this particular phone. Upon receipt of a SMSmessage, this phone searches for its passcode and pre-definedcommands embedded in the message to tell if it is a C&Cmessage. If found, the commands are immediately executedby the phone. Two issues need to be addressed here. First, howare passcodes allocated among compromised phones? Second,how to make C&C SMS messages appear harmless so thatusers may not notice the malicious content?
In our botnet, passcodes are allocated by botmasters to seg-ment a botnet into sub-botnets, each with a different function.For example, one sub-botnet is responsible for sending outspam messages, while another is in charge of stealing personaldata and transferring them to a malicious server. Each sub-botnet will be identified by its unique passcode that is hard-coded into the bot’s binary. In other words, all bots withinthe same sub-botnet share the same passcode so that they cancommunicate with one another and also with the botmaster.Using a unique passcode for each bot will be more securethan using one passcode for an entire sub-botnet because inthe latter case, the passcode will be discovered more easily.However, there is a tradeoff: using a unique passcode will addmore overhead due to the pairwise passcode exchange beforeeach communication. The additional cost is undesirable sinceour goal is to minimize the number of SMS messages to besent.
Not only do we require a passcode included in each SMScommunication message, but also we encode commands tomake it difficult for a user to figure them out. In fact, onthe Android platform, it is possible for an application to sendout SMS messages stealthily, to get immediate notificationof every incoming SMS message by registering itself as abackground service and to read and execute commands or evendelete the message before the user sees it. We still want tohide the C&C messages because other mobile platforms aremore restricted than Android; they may not allow our bots toboth send and receive SMS messages without notifying theuser. If malicious messages show contents directly, they willbe easily captured and manipulated by defenders. To evadesuch detection, we want to make a command-embedded SMSmessage look like a common message such as a spam message.
There are benefits of using spam-like messages to transmitC&C. As pointed out in [12], cellular carriers cannot simplyblock offending SMS messages because the senders have paidfor the messages and the carriers fear permanent deletion oflegitimate messages when there are no spam folders available.We will present a real-world experiment in Section III-C. Evenif in the future the carriers filter out spam messages and dumpthem into spam folders, similar to the email filtering, spammessages can still reach the target phones by going to thespam directory, which actually helps hide the C&C becauseusers tend to ignore spam.
Considering the fact that each SMS message only containsup to 160 characters, commands in our botnet are concise.For example, “FIND NODE” instructs a bot to return thephone numbers of certain nodes; “SEND SYSINFO” asksa bot to reply with system information. To disguise mes-sages, each command is mapped to one spam template.Additional information such as the phone number and theaforementioned passcode are variables in the templates, andthey are Base64-encoded. Figure 1 shows two disguised SMSmessages. The first one is a “FIND NODE” message (146characters) with passcode 12345678 requiring the recipientto locate a bot whose ID is 7912034218110523, and theresult should be returned to the bot whose phone num-ber is (734)7096452. NzkxMjAzNDIxODExMDUyM183Mzand Q3MDk2NDUyXzEyMzQ1Njc4—two random strings to-gether—are the Base64-encrypted 7912034218110523 734709645212345678. The entire encoded string is split into two—
disguising one as an error message and the other as a code—making it resemble a spam message. The second exam-ple is a “SEND SYSINFO” message (98 characters) witha passcode a2b4d11l. This template is different from thatof “FIND NODE” message. The passcode is also Base64-encoded and appears as a password in the disguised message.To decode messages, each bot keeps a command-templatemapping list. Since only tens of commands are needed in ourbotnet, this list is not long. To make detection harder, onecommand message can correspond to different spam templatesand the templates can be updated periodically. As shown,a command along with additional information can be easilyembedded into one SMS message which appears to be a spam,familiar to today’s phone users, so it is likely that users ignoresuch messages even if they open and read them. If users choose
3
to delete these messages, it will not cause any problem becausethe commands have already been executed upon their receipt.Without monitoring phone behaviors or reverse engineering,defenders may have difficulty in figuring out the mappingbetween spam templates and commands.
2) Sending SMS Through the Internet: Although sendingSMS messages through the cellular networks is always pos-sible, the botmasters want to hide their identity and lowercosts as much as possible. To achieve this goal, botmasters canuse the Internet to disseminate C&C messages to the mobilebotnet. There are several ways to do so. Many advertisement-based websites provide free SMS services. Botmasters cantype in messages via these websites and have them sent tomobile bots, feasible for low volume messaging. Using suchservices does not require sender’s mobile number, an emailaddress is sufficient if reply is expected. If the botnet is large,botmasters need to create an account with mobile operatorsor SMS service providers to make high volume messagingpossible at the lowest price. Usually, this can be done bysending and/or receiving SMS messages via email througha SMS gateway connecting directly to a Mobile Operator’sSMSC (Short Message Service Center). Currently, smartphoneapplications such as [10], [11] offer free domestic and interna-tional text messaging when the phone is connected to a WiFiand support both one-on-one and group texting. The user onlyneeds to provide a screen name to send and receive messageswithout revealing its identity. Both the botmasters and bots cantake advantage of such a service whenever possible to avoidmessaging costs.
To sum up, using SMS messages as the C&C is a viablesolution for a mobile botnet. Not only is SMS ubiquitous toevery mobile phone, but botmasters and bots are also able todisguise SMS messages, send bulk messages from the Internetwith little cost while hiding their identities. Thus, using SMSis both economical and efficient for the botnet.
C. Mobile Botnet Topology
In the previous section we have described the way SMSmessages form the C&C communication in our mobile botnet.In what follows, we introduce P2P topologies that may beutilized to organize the botmaster and bots for publishing andretrieving commands, and describe how to leverage existingP2P architectures to meet the need for mobile botnet con-struction.
1) Possible Topologies: Similar to botnets in the PC world,a mobile botnet can be structured in a traditional centralizedway or in a newly-emerged decentralized P2P fashion. In thefirst approach, botmasters hard-code into each bot’s executablea set of phone numbers that are under their direct control.When a mobile phone is converted to a bot, it contactsthose hard-coded phones to request commands or wait forcommands to be pushed to them. Such a centralized topologyis easy to implement but not resilient to disruption. Obviously,once defenders obtain these phone numbers, they can trackdown the botmasters and then disable the botnet; the problem
is known as single-point-of-failure. To make our botnet robustto defenses, we adopt a P2P structure instead.
Currently, there are several structures for P2P networks; theycan be divided into three categories: centralized, decentralizedbut structured, and unstructured. Centralized P2P networkshave a constantly-updated directory hosted at central locations.Peers query the central directory to get the addresses of peershaving the desired content. This structure is similar to thetraditional centralized botnet architecture and hence vulnerableto the central-point-of failure. Decentralized but structured P2Pnetworks have no central directory and contents are not placedat random nodes but at specific locations. The most commonsystems in this category are Distributed-Hash-Table (DHT)-based P2P networks ensuring that any peer can efficiently routea search to some peer with the desired content. One notableimplementation is Kademlia [13], used by several current P2Papplications, such as eMule and BitTorrent. Decentralized andunstructured P2P networks have neither central directories norcontrol over content placement. If a peer wants to find certaincontent in the network in old protocols such as Gnutella, ithas to flood its query to the entire network to find peerssharing the data. To address the scalability issues, currentunstructured networks adopt different query strategies to avoidflooding. There have also been extensive studies on how tomake Gnutella-like systems scalable. One such design is Gia[14].
2) Design: Both structured and unstructured P2P architec-tures can be modified to suit our need for the mobile botnetbecause their decentralized nature hides the botmaster’s iden-tity. Since the mobile botnet design should consider not onlyrobustness but also feasibility and efficiency on smartphones,we need to compare these two architectures to see which ismore suitable. Specifically, we base our structured and un-structured botnet topology on Kademlia and Gia, respectively,for comparison. Note that in our botnet, bots obtain commandsmainly in a pull style, i.e., the botmaster publishes commandsand bots are designed to actively search for these commands.The other possible mechanism for command transfer is push,meaning that bots passively wait for commands. We preferpull to push because push will get malicious activities exposedeasily. That is, under push many SMS messages are sentout from one or a few central nodes, whereas pull can beimplemented in a more distributed fashion. In what follows,we overview each protocol and describe our design.
Kademlia is DHT-based and has a structured overlay topol-ogy, in which nodes are identified by node IDs generatedrandomly and data items are identified by keys generated froma hash function. Node IDs and keys are of the same length(128-bit). Data items are stored in nodes whose IDs are closeto data items’ keys. The distance between two identifiers, xand y, is calculated by bitwise exclusive or (XOR) operation:d(x, y) = x⊕y. For each 0 ≤ i < 128, each node keeps a listfor nodes of distance between 2i and 2i+1 from itself. Thislist is called a k-bucket, and can store up to k elements. Thereare four types of RPC messages in Kademlia: PING, STORE,FIND NODE and FIND VALUE. PING checks whether a
4
node is online. STORE asks a node to store data. FIND NODEprovides an ID as an argument and requests the recipientto return k nodes closest to the ID. FIND VALUE behavessimilarly to FIND NODE. The only exception is that whena node has the data item associated with the key, it returnsthe data item. Since there is no central sever, each node has ahard-coded peer list in order to bootstrap into the network.
Considering the differences between smartphones and per-sonal computers as well as the SMS C&C channel we adopt,we modify Kademlia’s design to be suitable for our mobilebotnet’s structured overlay construction. First, we do not usePING messages to query whether a node is alive and shouldbe removed from its k-bucket. One reason for this is that SMSmessages transmitting C&C can always reach their recipientseven if these phones are not online (messages are stored inthe SMSC for later delivery). The other reason is that ourdesign tries to minimize the number of messages sent andreceived. Removing PING messages effectively reduces C&Ctraffic and thus, the possibility of being noticed by phone usersand defenders. Second, instead of being randomly generated,a node ID is constructed by hashing its phone number, similarto the notion in Chord [15] that a node ID is the hash of itsIP address. Doing so can undermine the effectiveness of Sybilattacks in which defenders add nodes to join the botnet todisrupt C&C transmission. Evidently, if node IDs are allowedto be randomly chosen, defenders will take advantage of thisby selecting IDs close to command-related keys to ensure ahigh probability that these sybil nodes are on the route ofcommand search and publish queries. In addition, the absenceof an authentication mechanism in Kademlia, meaning thatanyone can insert values under specific keys, presents anopportunity for defenders to launch index poisoning attacksby publishing fake values under command-related keys oncethey know these keys, in order to disrupt C&C. We thus usea public key algorithm to secure the command content. Whilepublishing a command, the publisher (the botmaster) needs toattach a digital signature to that command. The signature is thehash value of the command signed by the botmaster’s privatekey. Its corresponding public key is hard-coded in each bot’sbinary. In this way, bots that will store the command are ableto verify that the command is indeed from the botmaster notanyone else.
Gia improves Gnutella protocol and has an unstructuredoverlay topology. Since Gnutella has a scaling problem due tothe flooding search algorithm, Gia modifies Gnutella’s designand improves its scalability significantly. There are four keycomponents in Gia’s design: (1) a topology adaptation protocolto put most nodes within short reach of high-capacity (able tohandle more queries) nodes by searching and adding high-capacity and high-degree nodes as neighbors; (2) an activeflow control scheme to avoid overloaded nodes by assigningflow-control tokens to nodes based on capacity; (3) one-hopreplication to maintain pointers to the content offered byimmediate neighbors; (4) a search algorithm based on biasedrandom walks directing queries to nodes that are likely toanswer the queries.
Our design of unstructured overlay topology is based onGia as mentioned before. Our design removes the one-hopreplication scheme because it requires each node to indexthe content of its neighbors and to exchange this informationperiodically. This scheme may help reduce the number of hopsfor locating a command, but will incur additional storage andcomputation overheads. Moreover, each SMS message hasa limited length so that the exchange of index informationcannot be done with a single message but requires multiplemessages, increasing the number of messages generated. Inour mobile botnet, the drawbacks of using such a scheme willoutweigh its benefits, and we thus opt out of this scheme.Three other components are important to our botnet becausetheir combination ensures queries to be directed to high-capacity nodes that can provide useful responses withoutgetting overloaded. This is desirable, especially in a mobilephone network, since smartphones also have different capac-ities under different situations. For example, in a poor-signalarea or when the phone is on a voice call (SMS messagesuse the same control channel as voice calls for delivery), thephone’s capability of handling SMS messages is lowered, soit can only answer fewer queries. Overloading mobile botsis also a concern. If one bot receives/sends a large number ofSMS messages during a short period of time, its battery can bedrained quickly, and draw the user’s attention. Overloading canbe prevented using the flow-control scheme in Gia. Anotherdesign choice worth mentioning is that similar to the modifiedKademila, a digital signature is attached to every command tobe published.
III. EVALUATION
A. Comparing Two P2P Structures
We now describe our simulation study of structured andunstructured P2P architectures for mobile botnets and comparetheir performances. In the simulation, all nodes are assumed tohave already been infected by the vectors described in SectionII-A. Our evaluation focus is not on how the malicious botcode propagates, but on how the botnet performs under twodifferent P2P structures.
We modified OverSim [16], an open-source overlay networksimulation framework, to simulate mobile botnets with thetwo P2P structures. While comparing P2P structures’ perfor-mances, logical connections (SMS activities) among mobilenodes matter most, i.e., what we care is the overlay networknot the underlying physical network. For example, the fact thatmobile bots move around is not important in our simulationbecause the change of geographic location hardly affects bots’SMS message sending/receiving.
The metrics we use to measure performance are: number ofoverlay hops needed for a command lookup; total number ofSMS messages sent (number of those sent = number of thosereceived) when a botmaster-issued command is acquired byevery node; percentage of total number of SMS messages sentby each node during this entire command-lookup; and messagedelay (from the start of the query until a command is received).These metrics reflect how well each architecture meets the
5
Fig. 2. CDFs of the number of hops needed for a command-lookup
Fig. 3. CDFs of the total number of messages sent to perform all lookups
requirement of our mobile botnet, namely, minimizing thenumber of SMS messages sent and received, load-balancingand locating commands in a timely manner.
The churn (participant turnover) model we adopted in thesimulation is the lifetime churn. In this model, on creation ofa node, its lifetime will be drawn randomly from a Weibulldistribution which is widely used to characterize a node’slifetime. When the lifetime is reached, the node is removedfrom the network. A new node will be created after a deadtime drawn from the same probability distribution function.We set the mean lifetime to 8*3600=28800s, assuming thateach phone will stay connected to the botnet for an averageof 8 hours. Considering the unavailability of real field data onmobile phones’ online behavior, we made this rough estimate.We will later evaluate the effect of different mean lifetimes onthe botnet performance.
Besides the aforementioned performance metrics, anotherimportant metric is scalability for which we simulated twobotnets with 200 and 2000 nodes, respectively. In each botnet,a command from the botmaster is published, and every nodeis designed to locate this command by issuing lookup queries.The simulation ends when all nodes successfully retrieve thecommand. In the structured botnet case, we ran the modifiedKademlia protocol, with k-bucket size k = 8 and the numberof nodes to ask in parallel α = 3. In the unstructuredbotnet case, we ran the modified Gia protocol, with minimumnumber of neighbors min nbrs = 3, maximum numberof neighbors max nbrs = 10 and maximum number ofresponses max responses = 1.
Now, we present and discuss the comparison results. For
each metric, we first look at the 200-node botnet and thenthe 2000-node botnet. Figure 2 plots the CDFs of the numberof hops needed to retrieve a targeted command. In the 200-node botnet, for the structured architecture, 97% of lookupscan be completed within 3 hops. The corresponding numberfor the unstructured botnet is 5 hops. In the 2000-node botnet,despite the increased network size, 99% of lookups under thestructured architecture are fulfilled within 4 hops, but underthe unstructured 8 hops are required. Figure 3 shows the CDFsof the total number of SMS messages sent from each nodewhen the command spreads to the entire botnet, which isthe total communication overhead. In the 200-node botnet,under the structured architecture, about 80% of nodes generatefewer than 15 messages during the entire period, while underthe unstructured architecture 69% of nodes can do so. Theaverage number of messages sent is 11 for the structured and15 for the unstructured, respectively. In the 2000-node botnet,with more nodes and more lookups, the message overheadunsurprisingly increases. 80% of nodes send fewer than 20messages (51% of nodes send fewer than 10 messages) forthe structured architecture with an average of 22 messagessent by each node. Only 40% of nodes send fewer than 20messages for the unstructured architecture with an average of44 messages.
From the above observations, we can see that the structuredbotnet, in general, requires fewer number of hops to locate acommand and incurs a lower message overhead on each nodethan the unstructured one does in both 200- and 2000-nodecases. Compared to the unstructured botnet, the structuredarchitecture also scales better, considering its slight increases
6
in the number of hops and messages when the botnet becomeslarge. This is expected because in a structured network, dataitems are placed at deterministic locations so that fewer hopsand query messages are required to locate the targeted data andthe network can accommodate a large number of nodes. Evenso, one may still wonder, in the structured 2000-node botnetwhere 20% of nodes send more than 20 messages while 80%of nodes send less than 20 messages, if the overhead incurredis a concern, since SMSC is able to observe much of the traffic.SMS market statistics show that: “In 2009, U.S. cell phonesubscribers sent and received on average 390 text messagesper month according to the Mobile Business Statistics [17].”We thus believe that tens of messages overhead per phonemay not draw much attention from the SMSC considering aphone’s normal messaging volume. If this surge of messageshappens around the same time from each mobile bot, it maybecome problematic. As most attacks such as informationstealing and spamming are not time-critical, bots do nothave to rush to get commands. For example, 30 maliciousmessages may cause suspicion within an hour, but they maynot attract much attention if they were spread over three days.To further minimize the number of messages sent/received,each mobile bot can be restricted by a threshold. If thenumber of messages reaches the threshold, the bot will stopsending/receiving messages. In our case, the threshold may be20 messages, under which 80% of nodes are still able to obtaincommands. The threshold can also be customized. If a bot hasfrequent normal SMS messaging behavior (e.g., nearly 3000texts per US teen per month in Q1 2009 [18]), its threshold ofallowing bot communication could be high since this phoneis very likely to use a SMS plan and a few blended maliciousmessages are less noticeable.
Figure 4 shows the histograms of load distribution oneach node, which is the percentage of total messages eachnode accounts for during the entire simulation. In the 200-node botnet, 76% of nodes in the structured botnet eachaccounts for 0.75% – 1.25% of total messages sent, whereasin the unstructured one, the percentage values are spreadout among different nodes ranging from 0.10% to 6%. Theaverage percentage for the structured one is 1.02% and forthe unstructured is 1.01%. To gauge the load-balancing moreaccurately, we calculated a metric defined as:
∑ni=1 |pi−p| (∗),
where n is the total number of nodes, pi is the load percentageat node i, and p is the average percentage across all nodes.The (∗) values for the structured and the unstructured are13.40% and 55.89%, respectively. In the 2000-node case, allnodes’ percentages in the structured botnet range from 0.05%to 0.25% while those in the unstructured botnet are distributedwithin 0.05% – 1.65%, although the average percentages forboth the structured and the unstructured are 0.07%. The metric(∗) values for the structured and the unstructured are 23.73%and 145.48%. The unstructured case varies more in loaddistribution leading to poor load-balancing, probably becauseGia uses schemes to direct most queries to a few nodes—forming hub nodes.
To estimate the actual delay of locating a command in our
mobile botnet, we measured one-hop latency by sending SMSmessages between two smartphones. We implemented a SMSsend/receive utility on the Android platform and installed iton two G1 phones: one connected to T-mobile and the otherto AT&T. The software continually sent out and receivedSMS messages between two phones and recorded the exacttimestamps. The intervals between two consecutive SMS mes-sages were chosen from 1 second to tens of minutes and themessage contents were also randomly generated with variouslengths to simulate the realistic SMS usage. During the entireexperiment, we sent out a total of 138 SMS messages andcollected the corresponding message delays, i.e., the differencebetween the time sending a message from one phone and thetime of receiving that message from the other phone. Figure 5depicts min/max/average message delays based on differentsending intervals (sending rates). We can see that when SMSmessages are sent frequently, the message delays vary a lotand have high average values. Take 1 second as an example.Under this interval, delays range from 15 to 205 seconds withan average of 60 seconds. Similar delay patterns occur whenthe interval is 5 seconds. The general trend is that as intervalsbecome larger, both delay average and variance drop, and thatwhen the interval is greater than 60 seconds, the delays becomestable.
Since mobile attacks such as confidential information steal-ing (especially related to credit card, account number, etc.) arenot time-sensitive, bots can send messages at relatively longintervals to shorten the delay and avoid detection. Using agreater than 1 minute sending interval’s delay, we now esti-mate the total delay for a command-lookup. Under structuredKademlia which uses iterative search, the estimated delay isgiven by AverageTotalDelay = 2×AverageHops×AverageOneHopDelay. When it comes tounstructured Gia which employs recursive search, the equationshould be the same. By plugging in the data we obtained,the estimated command-lookup delay is 17 seconds for thestructured and 36 seconds for the unstructured in the 2000-node botnet. (To be realistic, we only consider the large-scalescenario.)
The delays seem to be large compared to that of IP-basedconnections. As briefly mentioned before, our current designdoes not opt for IP-based C&C or existing IP-based P2Pnetworks for the following reasons. First, some smartphonesmay not have data plans, not always accessible to the Internet.Second, for smartphones with the Internet access, they caninitiate connections to retrieve commands from designatedservers but are likely to suffer from a single-point-of-failure.To work in a decentralized P2P fashion, mobile bots shouldbe able to accept incoming connections without any difficulty,which presents a challenge due to private IPs used in mostscenarios. A possible solution is to obtain assistance from athird-party such as a mediator server or a rendezvous server,adding complexity to the C&C. Since SMS is ubiquitousacross all mobile phones, using SMS as the C&C channelto construct a P2P structure is a feasible and reliable solutionfor mobile botnets. As future work, we can incorporate IP-
7
Fig. 4. Histograms of the percentage of total messages sent from each node
1 5 10 20 60+0
30
60
90
120
150
180
210
Mes
sage
Del
ay in
sec
onds
Interval between SMS messages (seconds)
Fig. 5. SMS message delays Fig. 6. CDFs of the number of hops for a command lookup under differentmean lifetimes (in sec)
based command-transfer into our botnet. For mobile botswithout network access, they transmit C&C exclusively viaSMS messages. For bots with network access, they can pullcommands from an IP-based P2P network. Such a networkconsisting of PCs can be either constructed by the botmasteror part of an existing P2P network. Doing so may help reducethe message overhead and the delay.
In summary, our simulation results show that the structuredarchitecture outperforms the unstructured one in terms oftotal number of messages sent, hops needed and delays fora lookup as well as load-balancing, although both the originalprotocols—Kademlia and Gia—have already been tailoredto our mobile botnet’s needs through several modifications.Thus, the structured architecture is indeed better suited forour mobile botnet.
B. Effect of Churn Rates
Now that we have chosen the structured architecture, wewould like to see the effect of different mean lifetimes orchurn rates on the number of hops for a command lookup,which directly affects the delay of locating a command. Tosee the trend, in a 2000-node botnet, we varied the meanlifetimes—100s, 1000s and 28800s. The higher the meanlifetime, the lower the churn rate. Presumably, a large meanlifetime indicates a relatively stable network in which fewersteps are needed to locate a command. This assumption isverified in our simulation. We can see that in Figure 6,differences, though minimal, exist among the three CDFs.
With the mean equal to 100s, the average number of hopsis 1.8; with the mean equal to 1000s, the average reduces to1.7; with the mean equal to 28800s, the average decreasesfurther to 1.4. It turns out that a higher churn rate does notdegrade much of the lookup performance.
C. Can Disguised C&C Messages Go Through?
One concern with our spam-like C&C messages is what ifthey are filtered and deleted by the service providers withoutreaching the recipients, which might be the only effective wayto mitigate SMS spam (spam-filtering at the end device is notuseful as the recipient needs to pay for the messages already).According to some sources [12], [19], mobile carriers do notautomatically block SMS spam because there is no spam folderwith SMS so that accidental deletion of legitimate messagesfrom the carrier’s side cannot be recovered by the users. Also,senders are presumably charged for these messages unlikeemails. To confirm this, we ran experiments to see whethercarriers will let our spam-like C&C messages pass through.Table I shows the spam templates for C&C, which are typicalspam messages. The random strings highlighted in grey arevariables such as passcodes and node IDs. We tried twomethods to send them: web-based and smartphone-based. Forthe first method, we sent all messages twice to an AT&T phonevia free texting service at Text4Free.net and txt2day.comrespectively. 100% of them reached the designated phone. Forthe second method, we wrote an application and installed iton an AT&T Samsung Captivate phone running Android OS
8
SMS (P bli h)
Node ID 1111 Node ID 0110Key 0111
Number 123!456!7890 Number 321!645!0978Passcode 8888
SMS message (Publish)
odeValue XXXX
Node ID 0010
Number 521!322!0765
SMS message (Search)
Node ID 0100
Number 521!633!0789Key 0111
Passcode 8888
SMS message (Search)
Node ID 0000
Number 331!645!0278
Node ID 0100
1
2
3
Fig. 7. Publish and Search
TABLE ISPAM TEMPLATES WITH VARIABLE FIELDS IN GREY
1 Your paypal account was hijacked (Err msg: NzkxMjAzNDlxODExMDUyM183Mz).Respond to http://www.bhocxx.paypal.com using code Q3MDk2NDUyXzEyMzQ1Njc4
2 Free ringtone download at www.myringtone.com, using username VIP, password YTJiNGQxMWw to log on
3 Dear Customer, your order ID dWFuaWRpb3Q is accepted. Please visit: www.xajq.apple.com for more info
4 Your business is greatly appreciated and we would like to award you a free gift.http://www.protending.com/ebay/anVzdDRmdW4
5 To confirm your online bank records, follow the link https://login.personal.wamu.com/logon.asp?id=YWhhaGFoYWg
6 Hey, come on - Purchase G.e.n.e.r.i.c V I A G R A! http://www.WQ9.wesiwhchned.com/default.asp?ID=MTA5MzIxMnc
7 Citi Users: This is an important step in stopping online fraud. Please verify your account athttps://www.citi.com.Y2Nzc3Vja3M/verify/
8 Hey alice, I forgot to tell you yesterday that the password to that account(MDkyMzkxMDM0OTgxMjAzN)should be 183MzQyNjIwOTM5XzUxOTQwMTI5
9 Don’t miss the chance to win an iPhone 4. Go to www.apple.hak/index.asp?id=OTAxMjc1MjM4OTExMTIzOD,password: QyXzQxNDMyMTg3MzlfNjQ4MTkyMDQ
10 Guess who is tracking your location info? Log on to www.whoistrackingme.com/index.asp?num=YWxqc2hmdy0
9
2.2. This application automatically sent the spam messages5 times at different times of a day to another AT&T phone.The application also kept track of whether a message wassent successfully. Out of the 50 messages, 48 messages weresent and delivered to the target phone and 2 messages failedto be sent due to some generic failure at sender’s phonethat had nothing to do with the carrier. Although we werenot able to thoroughly test every possible spam messageon different networks, our experimental results were in linewith the aforementioned reports and we believe that as fewspam-fighting mechanisms are in place, our disguised C&Cmessages can safely go through the network.
D. How Do SMS C&C and P2P Structure Become One?
Having an impression of how SMS transmits C&C messagesand how a structured P2P topology fits our mobile botnet, onemay want to know in detail the way we integrate both intothe mobile botnet. We now use a simplified example (Figure7) to illustrate the command publish and search process. Forillustration purpose, node IDs and data items’ keys are 4-bit long, and SMS messages transmitted are not disguised asspam. In this figure, node 1111 wants to publish certain data—a command—under the key 0111. Note that in Kademlia,data items are stored in nodes whose IDs are close to dataitems’ keys. To locate such nodes, node 1111 first sends SMSmessages to nodes in its hard-coded node list; these nodeshelp to obtain nodes closer to the target from their node lists.The process continues till no closer nodes could be found (thisprocess is omitted in the figure). Finally, node 1111 finds theclosest node 0110 (0110⊕0111 = 0001), so a publish messagecontaining the command’s key (0111), the encrypted command(XXXX) along with a passcode (8888) is sent to node 0110.After verifying the pre-defined passcode and command, node0110 stores this information so that later any node requeststhe command associated with key 0111 it is able to returnthis command. As for the search process, it is similar to thepublish process described. Node 0000 looks up a commandassociated with key 0111 and it has to find the node whoseID is closer to this key. Node 0000 first asks node 0010; node0010 points it to node 0100; node 0100 provides the closestone, node 0110. Node 0000 contacts node 0110 to request thecommand.
IV. DISCUSSION ON COUNTERMEASURES
Although we have focused on the design of a stealthy andresilient mobile botnet, we would like to discuss potentialdefensive strategies against this botnet and challenges in usingthese techniques.
Similar to the patching mechanism in the PC world, toprevent malicious code from infecting mobile devices byvulnerability exploits, OS vendors and software providersneed to push patches to end devices in a timely manner.Certification (only approved applications can be installed) isalso an important security measure, but it is far from beingperfect as some malware has been able to get around [20] asa disguised harmless application. To nip the mobile malware
in the bud, additional protection features are necessary. For ex-ample, Kirin [21] is designed for the Android-platform whosecertification process is not stringent; it provides applicationcertification at install time using a set of predefined securityrules that determine whether the security configuration bundledwith an application is safe. With the aid of Kirin, users maybe more cautious while installing applications.
Host-based approaches that detect malware at runtime couldalso serve as a solution. Signature-based detection is effectivebut cannot handle unknown or polymorphic malware. There-fore, we prefer use of behavior-based detection. Since our botssend SMS messages stealthily without the user’s involvementor awareness, the detector could first characterize the normalprocess of sending SMS messages by a system-call state-diagram and then keep monitoring the system calls that gen-erate outgoing messages to see if there is any deviation fromthe normal behavior. To detect incoming C&C messages, thedetector needs to know the encoding scheme probably throughbinary analysis so that it can tell which messages are maliciousand intercept and delete them before any application’s access.However, the botmaster can apply advanced packing andobfuscation techniques to make the binary analysis harder, andperiodically update the spam templates as well as the mappingbetween them and corresponding commands. In addition, host-level detection is susceptible to compromise by the malware,and consumes much resource.
Deploying detection schemes at SMSC is another possiblesolution. Compared to the host-level detection, this centralizedapproach can acquire a global view of all phones’ SMSactivities, although the information of each phone might belimited. As mentioned before, simply filtering out spam willnot effectively cut off the botnet’s C&C. The reason is thateven if carriers dump spam-like SMS messages into a spamfolder like email service providers do, spam messages willstill reach target phones, stay at a less noticeable place—thespam folder and get commands executed. Black-listing andSMS sending/receiving rate-limiting may be difficult becauseour design attempts to minimize the total number of messagessent/received and to balance the load on each bot. As always,matching signatures extracted from known bots’ messagescan be bypassed by malicious messages with completely newformats or contents. To differentiate between mobile bots andnormal phones, the detector at the SMSC needs to extract moredistinctive features from SMS traffic patterns. For example,normal phones may have regularities in whom they sendmessages to and the sending frequency [22]. The detectorcan therefore build normal profiles and identify anomaliesaccordingly. The detector may also adopt a high-level viewfor detection. As our botnet utilizes a P2P architecture, theresultant network topology stemmed from SMS activities maybe different from that formed by benign phones, given thefact that P2P applications are rare in today’s mobile phonenetworks.
10
V. RELATED WORK
The research areas most relevant to our work are P2P-basedbotnets and botnet C&C evaluation. Wang et al. [23] proposedthe design of an advanced hybrid P2P botnet that implementedboth push and pull C&C mechanisms and studied its resilience.In [24] they conducted a systematic study on P2P botnets in-cluding bot candidate selection and network construction, andfocused on index poisoning and Sybil attacks. Overbot [25]is a botnet protocol based on Kademlia. The strength of thisprotocol lies in its stealth in the communication between thebots and the botmaster leveraging a public-key model. Daviset al. [26] compared the performance of Overnet with thatof Gnutella and other complex network models under threedisinfection strategies. Singh et al. [27] evaluated the viabilityof email communication for botnet C&C. Nappa et al. [28]proposed a botnet model exploiting Skype’s overlay networkto make botnet traffic undistinguishable with legitimate Skypetraffic. All of these dealt with botnets in the PC world, whileour work targets mobile botnets, in which C&C channel andnetwork structure requirements are different, in view of uniqueservices and resource constraints on smartphones. Dagon etal. [29] proposed key metrics to measure botnets’ utility forconducting malicious activities and considered the ability ofdifferent response techniques to disrupt botnets.
There are numerous efforts on mobile malware focusing onvulnerability analysis and attack measurements. The formerinvestigates ways of exploiting vulnerable mobile services,such as Bluetooth and MMS [30], [31], while the lattercharacterizes the feasibility and impact of large-scale attackstargeting mobile networks, mostly Denial of Service (DoS)attacks [32]. There are two papers treating the idea of mobilebotnets [4], [5]. The first paper was not concerned with C&Cor the network architecture but focused on the attack aspect—whether compromised mobile phones can generate sufficienttraffic to launch a DoS attack. The second paper investigatedusing Bluetooth as a C&C to construct mobile botnets withoutany analysis on their network structure.
VI. CONCLUSION AND FUTURE WORK
As smartphones are getting more powerful, they becomepotential targets of profit-driven attacks, especially botnets. Inthis paper, we presented the design of a mobile botnet thatutilizes SMS to transmit C&C messages and a P2P structureto construct its topology. Specifically, we used simulationto compare two types of P2P architectures—the structuredand the unstructured—based on several metrics critical tothe mobile botnet performance. We found that the modifiedKademlia—a structured architecture—is more suitable forour botnet in terms of message overhead, delay, and load-balancing. We also investigated possible ways to counter themobile botnet threat. As future work, we plan to combineSMS-based C&C and IP-based C&C utilizing existing DHTor P2P networks. Since our current work focuses on the aspectsof feasibility and efficiency in botnet design, we would alsolike to measure robustness, i.e., how our botnet performs underdifferent detection and mitigation strategies.
REFERENCES
[1] : Malware infects more than 50 android apps: First biginfection highlights vulnerability of android’s openness.http://www.msnbc.msn.com/id/41867328/ns/technologyand science-security/t/malware-infects-more-android-apps/
[2] SymbOS.Exy.A. http://www.symantec.com/security response/writeup.jsp?docid=2009-022010-4100-99
[3] Ikee.B. http://www.symantec.com/security response/writeup.jsp?docid=2009-112217-4458-99
[4] P.Traynor, M.Lin, M.Ongtang, V.Rao, T.Jaeger, P.McDaniel, T.L.Porta:On cellular botnets: Measuring the impact of malicious devices on acellular network core. In: Proceedings of the 12th ACM Conference onComputer and Communications Security (CCS’09)
[5] Singh, K., Sangal, S., Jain, N., Traynor, P., Lee, W.: Evaluating bluetoothas a medium for botnet command and control. In: Proceedings of theInternational Conference on Detection of Intrusions and Malware, andVulnerability Assessment (DIMVA 2010)
[6] : Htc bluetooth vulnerability. http://www.cio.com/article/497146/HTC Smartphones Left Vulnerable to Bluetooth Attack
[7] C.Mulliner, C.Miller: Fuzzing the phone in your phone. In: BlackHatSecurity Conference, 2009
[8] SMS. http://en.wikipedia.org/wiki/SMS[9] : China cracks down on sms spam.
http://www.redherring.com/Home/19081[10] textPlus. http://www.textplus.com/[11] : Textfree unlimited. http://itunes.apple.com/us/app/textfree-unlimited-
send-text/id305925151?mt=8[12] : Gsma launches sms spam reporting service.
http://www.pcworld.com/businesscenter/article/192469/gsma launches sms spam reporting service.html
[13] Maymounkov, P., Mazieres, D.: Kademlia: A peer-to-peer informationsystem based on the xor metric. In: IPTPS, 2002
[14] Chawathe, Y., Ratnasamy, S., Breslau, L., Lanham, N., Shenker, S.:Making gnutellalike p2p systems scalable. In: ACM SIGCOMM, 2003
[15] Stoica, I., Morris, R., Karger, D., Kaashoek, M.F., Balakrishnan, H.:Chord: A scalable peer-to-peer lookup service for internet applications.In: ACM SIGCOMM 2001
[16] OverSim. http://www.oversim.org/[17] : Sms market statistics 2009. http://www.massmailsoftware.com
/blog/2010/04/sms-market-statistics-2009-know-your-customer/[18] : More than text: mobile habits of teens. http://www.atelier-
us.com/mobile-wireless/article/more-than-text-mobile-habits-of-teens[19] : Mobile phone spam. http://en.wikipedia.org/wiki/Mobile phone spam[20] : Researcher says app store open to malware.
http://www.iphonealley.com/current/researcher-says-app-store-open-to-malware
[21] Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phoneapplication certification. In: Proceedings of the 16th ACM conferenceon Computer and communications security (CCS ’09)
[22] Yan, G., Eidenbenz, S., Galli, E.: Sms-watchdog: Profiling socialbehaviors of sms users for anomaly detection. In: Proceedings ofthe 12th International Symposium on Recent Advances in IntrusionDetection (RAID’09)
[23] Wang, P., Sparks, S., Zou, C.C.: An advanced hybrid peer-to-peer botnet.In: HotBots’07
[24] Wang, P., Wu, L., Aslam, B., Zou, C.C.: A systematic study on peer-to-peer botnets. In: ICCCN 2009
[25] Starnberger, G., Kruegel, C., Kirda, E.: Overbot - a botnet protocolbased on kademlia. In: 4TH INTERNATIONAL CONFERENCE ONSECURITY AND PRIVACY IN COMMUNICATION NETWORKS(SECURECOMM’08)
[26] Davis, C.R., Neville, S., Fernandez, J.M., Robert, J.M., McHugh, J.:Structured peer-to-peer overlay networks: Ideal botnets command andcontrol infrastructures? In: Proceedings of 13th European Symposiumon Research in Computer Security (ESORICS’08)
[27] Singh, K., Srivastava, A., Giffin, J., Lee, W.: Evaluating email’sfeasibility for botnet command and control. In: Proceedings of 38thAnnual IEEE/IFIP International Conference on Dependable Systems andNetworks (DSN’08)
[28] Nappa, A., Fattori, A., Balduzzi, M., Dell’Amico, M., Cavallaro, L.:Take a deep breath: A stealthy, resilient and cost-effective botnet usingskype. In: Proceedings of 7th International Conference on Detection ofIntrusions and Malware, and Vulnerability Assessment (DIMVA’10)
11
[29] Dagon, D., Gu, G., Lee, C.P., Lee, W.: A taxonomy of botnet structures.In: Proceedings of the 23 Annual Computer Security ApplicationsConference (ACSAC’07)
[30] Bose, A., G.Shin, K.: On mobile viruses exploiting messaging andbluetooth services. In: Proceedings of the 2nd International Conferenceon Security and Privacy in Communication Networks (SecureComm’06)
[31] Racic, R., Ma, D., Chen, H.: Exploiting mms vulnerabilities tostealthily exhaust mobile phone’s battery. In: Proceedings of the 2ndInternational Conference on Security and Privacy in CommunicationNetworks (SecureComm’06)
[32] Enck, W., Traynor, P., McDaniel, P., Porta, T.L.: Exploiting openfunctionality in sms-capable cellular networks. In: Proceedings of the12th ACM Conference on Computer and Communications Security(CCS’05)
12